Building a moat bastion server


  1. Building a Moat
  2. actually, a bastion server
  3. What does it do? Provides a secure, single point of entry to your application servers.
  4. Why do you care?
  5. What's it look like? (diagram labels: Service Requests, SSH)
  6. Bastion System Setup: uninstall everything!
     wget, ruby*, MySQL*, curl, postgresql*, xorg*, nginx, net-snmp-libs,
     jasper-libs, telnet, php*, automake, *X11, monit, gcc, DNS name server,
     mail server, ftp, neon, *devel*, finger, fetchmail
  7. Bastion System Setup: install netcat
  8. Bastion System Setup: update everything that remains!
         sudo yum upgrade
  9. Bastion SSH Config
     Change the port from 22:         Port 2222
     Disable password logins/auth:    PasswordAuthentication no
     Disable PAM:                     UsePAM no
 10. Bastion IPTABLES: DENY!!!!!
     /etc/sysconfig/iptables
         ...
         *filter
         :INPUT DROP [0:0]
         :FORWARD DROP [0:0]
         :OUTPUT ACCEPT [237:32957]
         -A INPUT -i lo -j ACCEPT
         -A INPUT -m state --state ESTABLISHED -j ACCEPT
         -A INPUT -m state --state INVALID -j DROP
         -A INPUT -p icmp -j ACCEPT
         -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
         COMMIT
 11. Bastion User
     Create a secure user group:
         sudo /usr/sbin/groupadd moat
     Create a "keymaster": generate and upload an SSH key.
 12. Other Users
     Generate SSH keys, use passphrases!
         sudo /usr/sbin/useradd -G moat -m new_user
         sudo mkdir -p /home/new_user/.ssh
         sudo mv ~/.new_user_ssh.pub /home/new_user/.ssh/authorized_keys
         sudo chmod -R 700 /home/new_user/.ssh
         sudo chown -R new_user:new_user /home/new_user/.ssh
         echo Any_r@nd0m_p@55w04D | sudo passwd new_user --stdin
     (The last line is not for logging in with: a freshly created account has a locked "!!" password field, and with UsePAM no sshd refuses locked accounts even for key-based logins, so a throwaway password unlocks the account. Password logins stay disabled by the sshd_config on slide 9.)
 13. Protected Server Iptables
         ...
         *filter
         :INPUT DROP [0:0]
         :FORWARD DROP [0:0]
         ...
         -A INPUT -s <moat's IP address> -p tcp -m tcp --dport 22 -j ACCEPT
         # HTTP and HTTPS
         -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
         -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
         COMMIT
 14. SSH Proxy through moat to access remote machines
         Host app001
             Hostname app-001.blackboxservers.com
             User app_user
             ProxyCommand ssh -q -p 2222 $MOAT_USER@moat-001.blackboxservers.com nc %h 22
     To SSH, just export your name and go!
         $> export MOAT_USER=george
         $> ssh app001
         george@app-001.blackboxservers.com's password:
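The ProxyCommand on slide 14 is why slide 7 installs netcat on the bastion. The ssh_config below is an added example, not the presenter's configuration: it reaches the same hosts without any tool on the bastion beyond sshd, using `ssh -W` (OpenSSH 5.4 and later) or `ProxyJump` (OpenSSH 7.3 and later), so netcat can go on the uninstall list too. The moat and app-001 hostnames, the 2222 port and the user "george" are taken from the slides; app-002 is a hypothetical second host added for the ProxyJump form.

```sshconfig
# Added example, not the slides' config. Define the bastion once, then hop
# through it; no netcat is needed on the moat.
Host moat
    Hostname moat-001.blackboxservers.com
    Port 2222
    User george

# OpenSSH 5.4+: -W asks the bastion's sshd to open the forward itself.
Host app001
    Hostname app-001.blackboxservers.com
    User app_user
    ProxyCommand ssh -q -W %h:%p moat

# OpenSSH 7.3+: ProxyJump is the one-line equivalent (app-002 is hypothetical).
Host app002
    Hostname app-002.blackboxservers.com
    User app_user
    ProxyJump moat
```

With either form `ssh app001` still authenticates to the bastion with your key and then to the app server with its own credentials, so the protected-server rule on slide 13 (port 22 only from the moat's address) keeps working unchanged. Neither form needs agent forwarding, so leave ForwardAgent off for the bastion: a compromised moat with forwarded agents on it can sign as every user who is logged in.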
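Slides 9 and 10 give the target sshd and iptables settings but no way to confirm they actually took effect. The script below is an added example, not part of the slides or the presenter's material; it audits an sshd_config for the three directives on slide 9 and cross-checks the port against the ruleset on slide 10. Two things the slides do not warn about: sshd honours the first occurrence of a directive, so hardening lines appended below the distro defaults silently lose; and moving sshd to 2222 without updating the firewall locks you out of the bastion. The sample config and sample ruleset are constructed inside the script, and Match blocks are not modelled.

```shell
#!/bin/sh
# Added example, not from the slides: audit a bastion's sshd_config against
# slide 9 and cross-check the SSH port against the iptables rules of slide 10.
# Sample inputs are constructed below; Match blocks are not modelled.

# Print the effective value of directive $2 in sshd_config $1: the FIRST
# uncommented occurrence, matched case-insensitively (that is what sshd uses).
# Prints nothing if the directive is absent (sshd then uses its default).
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Report one directive; return 1 if its effective value is not $3.
sshd_expect() {
    actual=$(sshd_effective "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "ok    $2 $3"
        return 0
    fi
    echo "FAIL  $2 is '${actual:-<default>}', expected '$3'"
    return 1
}

# The three slide-9 checks; the return value is the number of failures.
audit_bastion_sshd() {
    fails=0
    sshd_expect "$1" Port 2222                 || fails=$((fails + 1))
    sshd_expect "$1" PasswordAuthentication no || fails=$((fails + 1))
    sshd_expect "$1" UsePAM no                 || fails=$((fails + 1))
    return "$fails"
}

# List the TCP destination ports an iptables-restore file ACCEPTs on INPUT.
iptables_accepted_tcp_ports() {
    awk '/^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
             for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
         }' "$1"
}

# Lockout check: the port sshd will listen on must be one the firewall accepts.
ssh_port_reachable() {
    port=$(sshd_effective "$1" Port)
    iptables_accepted_tcp_ports "$2" | grep -qx "${port:-22}"
}

# Constructed sample: hardening lines appended below the distro defaults, so
# only PasswordAuthentication takes effect (its default line is commented out).
make_sample_config() {
    cat > "$1" <<'EOF'
# distro defaults
Port 22
#PasswordAuthentication yes
UsePAM yes

# hardening appended later
Port 2222
PasswordAuthentication no
UsePAM no
EOF
}

# Constructed sample: the bastion ruleset from slide 10.
make_sample_iptables() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
EOF
}

# Demo on the samples: Port and UsePAM fail, and sshd (still on 22) is unreachable.
cfg=$(mktemp); fw=$(mktemp)
make_sample_config "$cfg"; make_sample_iptables "$fw"
audit_bastion_sshd "$cfg" || echo "$? sshd check(s) failed"
ssh_port_reachable "$cfg" "$fw" || echo "LOCKOUT: sshd port is not accepted by the firewall"
rm -f "$cfg" "$fw"
```

Run the audit against the real files (`/etc/ssh/sshd_config` and `/etc/sysconfig/iptables`) before restarting sshd, and keep the existing session open until a second login on the new port succeeds.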
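The user-creation commands on slide 12 trust whatever file lands in authorized_keys and put the throwaway password on the command line, where it ends up in shell history. The script below is an added example, not the presenter's commands: it provisions a moat user the same way but validates the public key first, generates the unlock password instead of typing it, and sets 700 on ~/.ssh with 600 on authorized_keys, which is what sshd's StrictModes requires. It assumes the "moat" group from slide 11 exists, GNU coreutils install(1), openssl(1), and a RHEL-style passwd that accepts --stdin; the key lines it tests against are constructed and are not real keys.

```shell
#!/bin/sh
# Added example, not the slides' own commands: provision a "moat" user as on
# slide 12, with key validation, a generated unlock password, and the
# permissions sshd's StrictModes wants. Assumes group "moat" (slide 11),
# GNU install(1), openssl(1), and RHEL-style "passwd --stdin".

# Return 0 if $1 is one well-formed OpenSSH public-key line, 1 otherwise.
# Rejects the usual accidents: a private key pasted instead of the .pub,
# an RFC4716/PuTTY-format key sshd will not read, a truncated line, and
# (deliberately) ssh-dss. Lines with option prefixes are also rejected.
validate_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Return 0 if file $1 holds exactly one non-blank line and that line validates.
validate_pubkey_file() {
    [ -f "$1" ] || return 1
    lines=$(grep -c . "$1" || true)
    [ "$lines" -eq 1 ] || return 1
    validate_pubkey_line "$(grep . "$1")"
}

# Create the account and install the key. Run as root.
add_moat_user() {
    user=$1; keyfile=$2
    if ! validate_pubkey_file "$keyfile"; then
        echo "refusing: $keyfile is not a single OpenSSH public key" >&2
        return 1
    fi
    /usr/sbin/useradd -G moat -m "$user"
    # 700 on the directory, 600 on the key file (the slides' chmod -R 700 works
    # too but leaves authorized_keys executable for no reason). Assumes the
    # user's primary group is named after the user, as RHEL useradd does.
    install -d -m 700 -o "$user" -g "$user" "/home/$user/.ssh"
    install -m 600 -o "$user" -g "$user" "$keyfile" "/home/$user/.ssh/authorized_keys"
    # Unlock the account: useradd leaves a locked "!!" password field, and with
    # UsePAM no sshd rejects locked accounts even for key logins. Password
    # logins remain off because of PasswordAuthentication no (slide 9).
    openssl rand -base64 24 | passwd --stdin "$user"
}

# Constructed sample key lines (not real keys) for exercising the validator.
GOOD_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGZha2Vfa2V5X2Zvcl9leGFtcGxlX29ubHlfMTIzNDU george@laptop'
PRIVATE_KEY_LINE='-----BEGIN OPENSSH PRIVATE KEY-----'

validate_pubkey_line "$GOOD_KEY" && echo "good key accepted"
validate_pubkey_line "$PRIVATE_KEY_LINE" || echo "private key rejected"
```

Usage is `add_moat_user new_user /path/to/new_user.pub` as root; the keymaster from slide 11 is the one who should be running it, since nobody else can reach the bastion.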
